Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02dzYzLWgzZmotcTR2d84AAzr7

fast-xml-parser vulnerable to Regex Injection via Doctype Entities

Impact

"fast-xml-parser" allows special characters in entity names, which are neither escaped nor sanitized. Because the entity name is used to build the regular expression that searches for and replaces entity references in the XML body, an attacker can abuse it for a DoS attack: an entity name crafted to produce an intentionally slow regex, once it reaches the parser's entity replacement step, can cause the parser to stall for an indefinite amount of time.

Patches

The problem has been resolved in v4.2.4.

Workarounds

Avoid DOCTYPE entity processing by setting the processEntities: false option.
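The two defences implied by this advisory, as an added illustration that is not fast-xml-parser's own code: a toy DOCTYPE entity expander that validates entity names against the XML Name production before they can reach any pattern, replaces references with plain string operations instead of a RegExp built from the name, and honours a processEntities: false switch that skips entity handling entirely, as the workaround recommends. The function and constant names are assumptions.

```javascript
// Added example, not fast-xml-parser's own code. Mitigations shown:
//  1. validate entity names against the XML Name production before use;
//  2. expand references with split/join, never with a RegExp built from
//     the (attacker-controlled) entity name;
//  3. processEntities: false skips entity handling entirely (the workaround).

// XML Name production, ASCII subset: NameStartChar (NameChar)*
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;
// <!DOCTYPE root [ ...internal subset... ]>
const DOCTYPE = /<!DOCTYPE\s+\w+\s*\[([\s\S]*?)\]\s*>/;

// Collect <!ENTITY name "value"> declarations from a DOCTYPE internal subset.
function parseEntities(internalSubset) {
  const entities = new Map();
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(internalSubset)) !== null) {
    const [, name, value] = m;
    if (!XML_NAME.test(name)) {
      // Reject instead of letting an arbitrary name become regex source.
      throw new Error(`invalid entity name: ${JSON.stringify(name)}`);
    }
    entities.set(name, value);
  }
  return entities;
}

// Replace &name; references with plain string operations: no pattern is
// compiled from the name, so its contents cannot affect matching cost, and
// replacement values such as "$&" are inserted literally.
function expandEntities(body, entities) {
  let out = body;
  for (const [name, value] of entities) {
    out = out.split(`&${name};`).join(value);
  }
  return out;
}

// Strip the DOCTYPE and expand entities unless processEntities is false.
function parseDocument(xml, { processEntities = true } = {}) {
  const m = DOCTYPE.exec(xml);
  if (!m) return xml;                 // no internal subset: nothing to do
  const body = xml.slice(m.index + m[0].length);
  if (!processEntities) return body;  // workaround: entity names never inspected
  return expandEntities(body, parseEntities(m[1]));
}
```

Calling parseDocument with processEntities: false returns the body with &name; references left as written, which is the behaviour the advisory's workaround relies on.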

Permalink: https://github.com/advisories/GHSA-6w63-h3fj-q4vw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02dzYzLWgzZmotcTR2d84AAzr7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-6w63-h3fj-q4vw, CVE-2023-34104
References: Repository: https://github.com/NaturalIntelligence/fast-xml-parser
Blast Radius: 39.0

Affected Packages

npm:fast-xml-parser
Dependent packages: 1,935
Dependent repositories: 157,710
Downloads: 76,639,865 last month
Affected Version Ranges: >= 4.1.3, < 4.2.4
Fixed in: 4.2.4
All affected versions: 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.2, 4.2.3
All unaffected versions: 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.1, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 3.0.0, 3.0.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.9.10, 3.9.11, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 3.12.13, 3.12.14, 3.12.16, 3.12.17, 3.12.18, 3.12.19, 3.12.20, 3.12.21, 3.13.0, 3.14.0, 3.15.0, 3.15.1, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.18.0, 3.19.0, 3.20.0, 3.20.3, 3.21.0, 3.21.1, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.1.0, 4.1.1, 4.1.2, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6